sector/

1. http://www.sector.ca/

2. CMS Consulting Inc. Microsoft Vista: How Secure is it Really? Presented at: TASKJanuary 31, 2007

3. CMS Consulting Inc. Microsoft Infrastructure and Security Experts Active Directory - Windows Server - Exchange - SMS - ISA MOM - Clustering - Office – Desktop Deployment - SQL – Terminal Services - Security Assessments - Lockdown – Wireless Training by Experts for Experts MS Infrastructure – Security - Vista and Office Deployment Visit us online: www.cms.ca Downloads – Resources – White Papers For Security Solutions For Advanced Infrastructure For Network Solutions For Information Worker

4. CMS Training Offerings • INSPIRE Infrastructure Workshop • 4 days of classroom training - demo intensiveAD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server • Business Desktop Deployment – Deploying Vista/Office • 3 days of classroom training - hands on labs (computers provide)Business Desktop Deployment Concepts, Tools, Processes, etc. Vista and Office • Securing Internet Information Services • Securing ActiveDirectory • Securing Exchange 2003 • 1 day classroom training per topic TRAINING BY EXPERTS FOR EXPERTS

5. 1. ~~~~~~~~~ 2. ~~~ ~~ ~~ 3. ~~~~ Session Goals • We let Microsoft talk… so we need a balanced view! • See what the dark side has been up to. • Is it as secure as advertised? • You may ask questions. • Research is current as of Jan 31, 2007 • You may not provide emotional rants.

6. So what is newer, bigger, “bad”-er? • User Account Control (UAC) • Windows Defender * • Windows Firewall * • Windows Security Center * • Malicious Software Removal Tool * • Software Restriction Policies * • BitLocker™ Drive Encryption • Encrypting File System (EFS) * • Rights Management Services (RMS) * • Device control • Address Space Randomization • Now 2400-ish group policy settings (* XP-SP2 had 1700) * Exists in, or downloadable for XP

7. Internet Explorer 7 • Internet Explorer Protected Mode • ActiveX Opt-in • Cross-domain scripting attack protection • Security Status Bar • Phishing Filter • Etc, etc, etc (Included here, because Microsoft always shows it as part of Vista security… yes - I know it runs on XP).

8. The Switch to Vista • If you don’t buy Vista, you should buy Office 2007 just so you can make pretty pictures like mine.

9. Switch to Mac Instead?

11. The HOT Topic… DRM! • Peter Gutmann wrote “A Cost Analysis of Windows Vista Content Protection” and called Vista DRM the “Longest Suicide Note in History” • Microsoft rebutted this. The article included some technical clarifications, but appeared mostly as a PR piece.

12. DRM Highlights • Vista will only play “premium” HD content on x64, as DRM couldn’t be implemented in their x32 OS. • This basically effects HD-DVD and BluRay playback. • High bandwidth Digital Content Protection (HDCP) compatible monitor is required. (Shame you bought that nice Dell 24” Ultrasharp) • Peter thinks a skilled attacker could bypass Vista DRM inside a week. • DRM is a big reason that Vista driver support is so limited even based on the RTM media

13. DRM Bottom Line • “Premium” content plays at very degraded quality unless policy is met. • There’s 30 checks per second to make sure DRM isn’t being bypassed (read: serious overhead) • Drivers now have a “tilt” bit, up to vendors to determine was constitutes an attack. After “tilt” detected, graphics subsystem reset • Drivers can be revoked if they are exploited… if Microsoft revokes a driver, and the vendor doesn’t release an update, do you have to buy a new video card? • Still too early to tell the fall out.

14. DRM Resources A Cost Analysis of Windows Vista Content Protection • http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html • Last Update January 27, 2007. The Official Microsoft Rebuttal • http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx

15. Windows Defender • XP and Vista only • Not supported on W2K, but ORCA edit install and it works fine • You can also use ORCA to remove WGA check • Actively scans computers for "spyware, adware, and other potentially unwanted software.” You just need to trust their definition of what’s “unwanted”

16. Windows Defender • SpyNet’s a neat idea. • Not an antivirus solution (Forefront Client Security is) • Not enterprise class (no central reporting, etc, etc) • Can distribute updates by WSUS

18. Malware • Sophos report summary: • They used the top ten November 2006 forms of malware • Windows Mail blocked all 10 • Using web mail, 3 of 10 infected Vista • Mydoom, Netsky and Stration all succeeded • All take advantage of social engineer. None took advantage of a security weakness.

19. Exploits for Sale! • Trend Micro CTO quoted in various articles claiming to see Vista 0day on auction boards for upwards of $50k • This isn’t really news. Exploits for $$$ is not new.

20. Attacks for Sale

22. $50k for an Exploit?

24. Exploit Prediction • Because I’m such an expert on the topic.  • (Ok stolen mostly from Symantec’s Vista Attack Surface paper) • The networking stack is a complete re-write. Symantec found several DoS attacks in pre-release Vista and expect more. • SMB2 • IPv6 • Loopback attacks (exploit at low level connect back to medium level process, eg. IE protected mode connect back to SMB)

25. User Account Control • The nuisance:

26. User Account Control • Power Users no longer exists (well it does, but does nothing unless you apply security template) • Harmless tasks no longer require administrator (eg. Change time zone, connect to wireless network, install approved devices) • Either on or off, no “less annoying”, or “I said yes 5 times today, I still mean yes” option • Not entirely true, there are more group policy settings available to control its behaviour (all settings=less control, more nuisance)

27. Disabling User Account Control • Method 1 - Using Control Panel • Method 2 - Using Control Panel on Single User • Method 3 - Using Registry Editor • Method 4 - Using MsConfig System Configuration • Method 5 - Using Group Policy

28. Registry/File Virtualization • When running under limited user access (LUA) failed (insufficient permission) registry and file writes get redirected (virtualized) • Registry access failures to HKLM redirect to HKCU From: HKEY_LOCAL_MACHINE\Software to: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software • File access failures also redirect From: C:\Progra~1 (C:\Program Files) to: %UserProfile%\AppData\Local\VirtualStore\C\Progra~1

29. Mildly entertaining

30. Windows Firewall • XP has Domain vs. Standard configs • Vista has Domain vs. Public vs. Private • Application outbound rules (not on by default) • Default config is same configuration as XP SP2 • IP v6 Support • New console available by MMC that’s super cool • Integration with IPSec • See Steve Riley’s TechEd presentation 102 slides on Firewall and IPSec changes

31. Comparing features

33. Encrypted File System – New in Vista • You can store User keys on smart cards. • You can store recovery keys on smart cards, allowing secure data recovery without a dedicated recovery station, even over Remote Desktop sessions. • You can encrypt the Windows paging file using EFS with a key that is generated when the system starts up. This key is destroyed when the system shuts down. • You can encrypt the Offline Files cache with EFS. In Windows Vista this encryption feature employs the user’s key instead of the system key. • EFS supports a wider range of user certificates and keys.

34. Address Space Randomization • Been used in the Unix world for over 10 years • Goal is to eliminate overflow attacks (memory space is no longer predictable) • Stack and Heap are randomized • EXE’s and DLL’s shipping as part of Vista are randomized • All other EXEs and DLLs will need to explicitly opt-in via a new PE header flag; by default they will not be randomized. 'Note that DLLs marked for randomization, such as system DLLs, will be randomized in every process (regardless of whether other binaries in that process have opted-in or not)

35. Address Space Randomization • Vista only uses 8 bits for randomization (28=256) • An attacker has a 1/256 chance of getting an address right • Brute force is always a possibility (if the app doesn’t die first) • Side effect: memory fragmentation

36. Address Space Randomization • Ali Rahbar demonstrates in this whitepaper how to run an exploit on code not compiled with the randomization switch

37. Vista Piracy • Volume Activation 2.0 • Cracks currently fall into 3 categories • KMS in Virtual Machine (VMPlayer) • TimeStop (aka 2099 Crack) • FrankenBuild (RC1 components mixed with RTM) • Bottom Line: • Updates to WGA will detect and disable • Many Cracks come with trojans for no extra charge.

39. Bitlocker: Crash Course • Several Options: • TPM Only (this is default) • TPM + PIN • TPM + USB • USB Only (no TPM present) • AES 128bit or 256bit based encryption • Brute Force currently computationally unfeasible • If no PIN present, then stolen machines can still be attacked by traditional methods (ie. TPM is present, and decryption happens at boot)

40. Bitlocker: Secure Enough? • Attacks against TPM only mode • Warm boot without destroying memory, grab keys from memory ghosts • Cold ghosting (memory remains charged long enough to capture) • PCI bus exploit with repurposed PC Card device and DMA (direct memory access) (e.g. CardBus DMA technique demoed by David Hulton at ShmooCon, 2006) • Xbox v1-style attacks • BIOS attacks (may involve removal, re-programming and compromise of Core Root of Trust for Measurement (CRTM) • TPM+MultiFactor • Brute force PIN (mitigated by TPM anti-hammering) • Key wear analysis (theoretical) • BitLocker Aware Boot-Rootkits • Multi-Visit Attacks (Hobble Bitlocker, then steal laptop) • Lost machine while unlocked (one chance threat) • The best presentation I could find on bypassing BitLocker was actually put out by Microsoft themselves. Presentation by Douglas MacIver at Hack in the Box 2006.

41. BitLocker: Secure Enough? • Team Blog violently opposes and denies any gov’t backdoor. If one is legislated, they promise to disclose or withdraw the feature • No apparent “easy to execute” attacks (yet)

42. PatchGuard • Also known as Kernel Patch Protection (KPP) • Not to be confused with requirement for signed drivers • Means you can`t mess with the kernel • Exists for all x64 versions of Windows • 5 or 6 bypass methods can be found searching, although little PoC exists, no methods appear to work with Vista • Authentium "broke" Patchguard on RC • Joanna`s raw-disk access Patchguard exploit shutdown with RC2 • Designed to both limit rootkit exposure and stop vendors from using undocumented kernel manipulation

43. PatchGuard • This really is what all the AV vendors are upset about • Symantec has posted a paper on how to disable first the kernel signed driver requirement and then Patchguard (not updated with RTM info, but I believe it would still work). Involves taking ownership on ACL’s from TrustedInstaller (set by Windows Resource Protection), then patching NTOSKRNL.EXE and WINLOAD.EXE • Most recent paper by Ken Johnson (Skywing) at http://www.nynaeve.net/ - Posted Jan 29

44. Notes on Secure Deployment • Use BDD 3.0 for standardized rollout • Read all 107 pages of Microsoft’s “Vista Security Guide”  • GPOAccelerator.wsf creates Domain, User, Desktop and Laptops GPO’s for you! • Deploy 64bit if possible (its more secure) • Make sure your AV vendor supports Vista and x64 • Train users on UAC • Replace Defender with something enterprise class

45. CMS Training Offerings • INSPIRE Infrastructure Workshop • 4 days of classroom training - demo intensiveAD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server • Business Desktop Deployment – Deploying Vista/Office • 3 days of classroom training - hands on labs (computers provide)Business Desktop Deployment Concepts, Tools, Processes, etc. Vista and Office • Securing Internet Information Services • Securing ActiveDirectory • Securing Exchange 2003 • 1 day classroom training per topic TRAINING BY EXPERTS FOR EXPERTS

46. SIGN UP NOW!http://www.sector.ca/